Issue with getting active session/user count on SSG service

cyoung3139 · ‎06-26-2013

Hello, everyone! I have an odd issue I am hoping osme of you can assist me with. We use two older Cisco 7200 series routers running SSG to handle access and authentication for one of our bulk ethernet services. This service has grown so we are replacing them with some Cisco 7301 routers to add more cability and support some upcoming expansion. I was able to get SSG up and running fine on the 7301 without issue and we plan to go live with them soon.

The issue: we like to monitor the routers with MRTG and keep track of the average number of users/connections active on each SSG router so we can do a good job of distributing the load between them. On the older 7200 series routers, we do a simple snmp poll to the router using an OID of

1.3.6.1.4.1.9.9.260.1.2.4.0, which tells us how many SSG connections are active on the router.

Example from a Linux prompt:

snmpwalk -v 2c -c public oldssg 1.3.6.1.4.1.9.9.260.1.2.4.0

SNMPv2-SMI::enterprises.9.9.260.1.2.4.0 = Gauge32: 1203

Using the OID on the new 7301, however, results in no data. A command-line snmpwalk using that OID on the 7301 results in the error:

snmpwalk -v 2c -c public newssg 1.3.6.1.4.1.9.9.260.1.2.4.0

SNMPv2-SMI::enterprises.9.9.260.1.2.4.0 = No Such Object available on this agent at this OID

Do I need to use a different OID on the 7301 to get the information as I did on the old SSG router? It is fairly critical that we be able to know how many active sessions are on the new SSG routers.

Thank you for any help you can provide.

Manuel Rodriguez · ‎06-27-2013

Hi Chad,

What if you do an snmpwalk on 1.3.6.1.4.1.9.9.260.1.2.4 (without including the last index). Do you get the same result?

Also, maybe you can try with 1.3.6.1.4.1.9.9.260.1.2.3 to get the number of active SSG sessions.

On a side note, be aware that SSG is a feature which is end of support from Cisco since May 14th 2012. You can refer to the end of life notice at:

- For C7200

http://www.cisco.com/en/US/prod/collateral/routers/ps341/end_of_life_notice_c51-501483.html

- For C7300

http://www.cisco.com/en/US/prod/collateral/routers/ps341/end_of_life_notice_c51-501483_ps352_Products_End-of-Life_Notice.html

I would strongly suggest to get in touch with your local Cisco Account Team or partner in order to plan a migration from SSG to ISG which is the feature substituting SSG.

Best regards.

cyoung3139 · ‎06-27-2013

To answer your questions:

snmpwalk -v 2c -c public newssg 1.3.6.1.4.1.9.9.260.1.2.4

SNMPv2-SMI::enterprises.9.9.260.1.2.4 = No Such Object available on this agent at this OID

snmpwalk -v 2c -c public newssg 1.3.6.1.4.1.9.9.260.1.2.3

SNMPv2-SMI::enterprises.9.9.260.1.2.3 = No Such Object available on this agent at this OID

As much as we would love to go to ISG, that is not an option. This router is an interim solution until we replace the entire SSG service with another option in the future.

Thanks!

Manuel Rodriguez · ‎06-28-2013

Hi Chad,

What if you run the snmpwal like the following:

snmpwalk -v 2c -c public newssg .1.3.6.1.4.1.9.9.260.1.2.4 ===> please note the '.' at the begining of the OID.

Do you get any result in that case?

Are you able to poll any object from the ciscoSsgMIB (1.3.6.1.4.1.9.9.260). What if you try to run an snmpwalk on that OID?

I don't know what IOS versio you are using here. Did you verify the MIB is available in that version? You can do that using the SNMP object navigator from Cisco.com (http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en)

Regards

cyoung3139 · ‎07-02-2013

Manuel,

Thanks for all your help. I found a solution to my problem. The Cisco 7301 was running IOS 12.4(24)T8 which does not support the SSG OIDs. I was able to back date the switch to 12.4(15)T17 and all is well.

In the future we will, of course, phase out the SSG product entirely and replace it with ISG or a similar product, but thanks for pointing in the right direction to get this router running for now.

Manuel Rodriguez · ‎07-03-2013

Hi Chad,

Good to hear my inputs were helpful for you and your device is up and running now.

Best regards.